[CLUE-Tech] Apache on Debian

Timothy C. Klein teece at silverklein.net
Sat Nov 2 11:10:55 MST 2002


* Jed S. Baer (thag at frii.com) wrote:
> On Sat, 2 Nov 2002 10:53:14 -0700
> "Timothy C. Klein" <teece at silverklein.net> wrote:
> 
> > > "Timothy C. Klein" <teece at silverklein.net> wrote:
> > > 
> > > > This is from the file /usr/share/doc/apache/README.Debian
> > > > 
> > > > "* The default webpages are owned by root.root by default (*not*
> > > >   www-data.www-data), so hackers will have a harder time defacing
> > > >   the site."
> > > 
> > > Interesting. I wonder how having the files owned by root makes it more
> > > difficult to deface the site. Presuming that ability to deface means
> > > you've been cracked, wouldn't it be better to get cracked as
> > > httpd:httpd or some such, than as root?
> > > 
> > 
> > The apache daemon runs as var-www, and web hacks that come through
> > apache will come through as user var-www.  So if the web pages are owned
> > by root, the cracker has to get root access after cracking the apache
> > webserver, or he won't be able to change any files.
> 
> Well, yes. I'd say their using root gives that description some aspect of
> a red herring. It could, in fact, be any user other than that under which
> the httpd processes are running. Using root makes one think "why should
> those files be owned by *root*", as opposed to what they really intended.
> 

I did not explain well.  Say there is a bug in apache, and it allows one
to try and modify a URL.  These kinds of bugs are common.  With the way
Debian sets it up, if Apache has a bug, and an evil user tries to
overwrite a file in var-www, the *operating system* will stop them.
Many script kiddies look for these kinds of exploits, that allow one to
do nothing more than change the web page of a site.  With this simple
setup, such script kiddies are locked out, unless they also know some
way to get root on the box.

It really is more secure.  The apache process cannot alter files in
var-www, as it does not have the permissions.  It shouldn't need to.
If it tries, it could be a bug or a crack attempt, and this prevents it.

Tim
--
==============================================
== Timothy Klein || teece at silverklein.net   ==
== ---------------------------------------- ==
== "Hello, World" 17 Errors, 31 Warnings... ==
==============================================
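The protection Tim describes only holds as long as nothing under the document root is actually writable by the uid the daemon runs as; a single world-writable upload directory or a file accidentally chowned to the web user gives that protection away. The script below is an added example (not part of the list discussion or of Debian's apache package) that audits a document root the way the kernel would evaluate it: for each entry it applies the owner/group/other write-bit check against a given uid and set of gids and reports anything the web user could modify. The uid/gid 33 used in the demo is the conventional www-data id on Debian; the sample tree it builds is constructed inline and the web uid chosen for it is an assumption, so substitute your own.

```python
import os
import stat
import tempfile
from typing import Iterable, List


def writable_by(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    """Classic Unix discretionary access check for the write bit.

    Mirrors the kernel's ordering: if the uid owns the file only the owner
    bits count, otherwise if one of the gids matches only the group bits
    count, otherwise the 'other' bits.  uid 0 bypasses DAC entirely, which
    is exactly why root-owned pages still fall to anyone who gets root.
    """
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in set(gids):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_docroot(root: str, web_uid: int, web_gids: Iterable[int]) -> List[str]:
    """Return (sorted, root-relative) paths under root that web_uid could modify.

    Directories are included: write access on a directory lets a process
    unlink and replace the files inside it, even if those files are 0644 root.
    Symlinks are skipped; their mode bits are meaningless for this check.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st, web_uid, web_gids):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_docroot(root: str) -> None:
    """Constructed sample tree: one well-set page, one sloppy upload dir,
    one world-writable file.  Ownership is whoever runs this; the audit
    below pretends the web user is someone else, as it is on a real box."""
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "static"))
    for rel, mode in (
        ("index.html", 0o644),         # readable by all, writable by owner only
        ("static/logo.png", 0o644),
        ("uploads/note.txt", 0o664),   # group-writable: fine unless web user is in group
        ("counter.txt", 0o666),        # world-writable: web user can clobber it
    ):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)   # world-writable directory
    os.chmod(os.path.join(root, "static"), 0o755)


if __name__ == "__main__":
    # Assumption: the daemon runs as www-data, uid/gid 33 on Debian.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        for hit in audit_docroot(tmp, web_uid=33, web_gids=[33]):
            print("web user could modify:", hit)
```

On a real system run it against `/var/www` (or whatever the `DocumentRoot` is) with the uid and groups the daemon actually runs as; anything it lists is a place where an Apache bug turns directly into a defaced page, regardless of who owns `index.html` next to it.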



More information about the clue-tech mailing list